Commit graph

104 commits

Author SHA1 Message Date
Mikael Ågren
460d310c73
fw: Fix qemu_firmware build warnings 2025-06-19 08:50:13 +02:00
Michael Cardell Widerkrantz
1fec28ff0d
doc: Complete copyright and licenses
- Point out licensing terms in docs.
- Add missing SPDX tags
- Update the SPDX checker to check all the files we want to check.
- Include spdx-ensure in CI.
2025-05-22 09:31:54 +02:00
Michael Cardell Widerkrantz
0d6e1d9ba5
fw: Add debug print when reading partition table fails 2025-05-20 13:50:55 +02:00
Michael Cardell Widerkrantz
8965fea947
Reset USB controller endpoints when starting
When starting, reset the USB controller to only enable the USB CDC
endpoint and the internal command channel. If the app resets firmware,
but had differend endpoints enabled, we want to go back to a known
state.
2025-05-16 17:09:13 +02:00
Mikael Ågren
53bc2d5fa0
fw: Update flash_write_data() to handle sizes larger than 4096 bytes 2025-05-15 16:13:30 +02:00
Mikael Ågren
5a9b77806f
fw: Return 0 on sys_alloc success, -1 on error
It is left to the app to keep track of whether it has had access to the
allocated area before.
2025-05-15 16:13:30 +02:00
Mikael Ågren
887883c8db
fw: Allow last storage area sector to be erased 2025-05-15 16:13:29 +02:00
Mikael Ågren
a2b77ec348
fw: Return reset() return value in TK1_SYSCALL_RESET 2025-05-15 14:14:39 +02:00
Mikael Ågren
9a3b4b9dca
fw: Use sizeof(resetinfo->app_digest) instead of hardcoded value 2025-05-15 14:14:38 +02:00
Michael Cardell Widerkrantz
48108cb3a2
fw: Build qemu_firmware with different linker script
The qemu_firmware is too large for the real hardware's 8k of ROM. The
emulator, however, has lots of ROM. Use a different linker script for
to reflect this.
2025-05-15 14:03:04 +02:00
Michael Cardell Widerkrantz
e935195846
fw: Add syscall TK1_SYSCALL_GET_APP_DATA
Add a new syscall to enable an app to get the data left for it by the
previous app in chain.

- Change testloadapp to leave some data for the next app to read.
- Call system call with:

  uint8_t next_app_data[RESET_DATA_SIZE];

  syscall(TK1_SYSCALL_GET_APP_DATA, (uint32_t)next_app_data, 0, 0);
2025-05-15 14:03:04 +02:00
Michael Cardell Widerkrantz
d83d659284
fw: Remove use of timer in flash operations
Since we want to keep the user of the timer to the device apps, remove
the use of the timer for implementing a delay when writing to flash.
Let's try without any delay what so ever, just busylooping the query
to the chip.
2025-05-06 17:52:09 +02:00
Michael Cardell Widerkrantz
4f4de4a07d
fw: Harmonize comment style 2025-05-06 17:52:09 +02:00
Michael Cardell Widerkrantz
f373ad3f68
fw: Introduce reset()
- New function reset.c:reset(). Move code from syscall handler switch
  to this function.

- Rename resetinfo.h to reset.h.
2025-05-06 17:52:05 +02:00
Michael Cardell Widerkrantz
9d1bbffbaa
fw: Remove unneeded variable
Instead of assigning error to a variable, just include the function
returning the error in the if case.
2025-04-29 22:00:54 +02:00
Michael Cardell Widerkrantz
0692dddbae
fw: Simplify error return codes
Since callees doesn't differentiate between different errors, we have
no list of what different error codes mean, just return -1 on all
errors.
2025-04-29 22:00:51 +02:00
Mikael Ågren
15a350da1e
fw: Set LED colors
- Set LED color to white when firmware has initialized
- Set LED color to black when changing state to loading
- Set LED color to blue when starting testloadapp
- Update mgmt app allowed digest since testloadapp changed
2025-04-29 21:58:50 +02:00
Michael Cardell Widerkrantz
3e8ff9671c
fw/tools: Change partition checksum to vanilla BLAKE2s
Instead of using 16 byte BLAKE2s with a dummy key, use plain vanilla
unkeyed 32 byte BLAKE2s for partition checksum.

Co-authored-by: Mikael Ågren <mikael@tillitis.se>
2025-04-29 21:58:50 +02:00
Michael Cardell Widerkrantz
66ea8df1d9
fw: Rename partition digest to checksum
- Rename functions, defines, et c to indicate that it's a checksum
  over the partition, not necessarily a cryptographic hash digest even
  though we use a version of BLAKE2s.

- Add comments describing where the checksum is stored and what it is
  used for.

Co-authored-by: Mikael Ågren <mikael@tillitis.se>
2025-04-29 21:54:06 +02:00
Michael Cardell Widerkrantz
106a7a5613
fw: Check flash app length to be within limits
Complain if the pre-loaded app on flash is larger than app RAM.

Co-authored-by: Mikael Ågren <mikael@tillitis.se>
2025-04-29 21:53:36 +02:00
Michael Cardell Widerkrantz
49d5a26a77
fw: Check syscall arg pointers to be in app RAM
When we pass pointers in system calls these pointers should point to
app RAM, not any other parts of the memory map, and especially not to
memory like FW_RAM that is only available in in a higher privilege
mode.

Co-authored-by: Mikael Ågren <mikael@tillitis.se>
2025-04-29 21:53:24 +02:00
Michael Cardell Widerkrantz
632b6d8fc7
fw: Limit flash offsets to be within sane limits
Limit flash offsets passed to syscalls. Be sure to check the limits
before doing any form of calculation with the passed values.

Co-authored-by: Mikael Ågren <mikael@tillitis.se>
2025-04-28 15:21:10 +02:00
Mikael Ågren
9c1bb53d7a
fw: Add ERASE_DATA syscall
Erase one or more flash sectors in app storage areas
2025-04-24 16:03:20 +02:00
Mikael Ågren
c5c6230664
fw: Replace custom picorv32 instructions when building for qemu 2025-04-24 16:03:01 +02:00
Michael Cardell Widerkrantz
2c1c05f180
fw: Add pre loaded flash app and flash data storage
- Add per app flash storage
  - Adds four data areas. An app can allocate an area. Once allocated
    the area is tied to the CDI of the app and can only be
    read/written/deallocated by the same app.
- Add two pre loaded app slots to flash
  - Load an app from the first slot at boot. The app digest must match a
    specific digest specified in firmware.
  - Optionally load an app from the second slot
- Add a resetinfo area in FW_RAM which is used to signal an app's intent
  of resetting the system and, optionally, pass data to firmware or the
  next app in a bootchain.

Co-authored-by: Jonas Thörnblad <jonas@tillitis.se>
Co-authored-by: Mikael Ågren <mikael@tillitis.se>
Co-authored-by: Daniel Jobson <jobson@tillitis.se>
2025-04-24 16:02:34 +02:00
Michael Cardell Widerkrantz
4841b1b127
fw: Use BLAKE2s functions from tkey-libs
Instead of using the firmware's own copy of BLAKE2s functions, use the
functions from tkey-libs.
2025-04-24 09:10:55 +02:00
Michael Cardell Widerkrantz
3dbc31f54c
fw: Move tk1_mem.h to tkey-libs
From now on the canonical home of the tk1_mem.h header file describing
the memory map of the TKey lives in tkey-libs:

https://github.com/tillitis/tkey-libs
2025-03-13 11:07:47 +01:00
Michael Cardell Widerkrantz
cd1a089763
fw: Build with tkey-libs
Build firmware, testfw and testapp using tkey-libs:

  https://github.com/tillitis/tkey-libs

In an effort not to have more or less identical code maintained in two
places, use tkey-libs when developing firmware, testfw and the
firmware testapp, too.

You can place the Git directory directly under hw/application_fpga
and then an ordinary make should work.

Or build with:

  make LIBDIR=/path/to/tkey-libs

Co-authored-by: Mikael Ågren <mikael@tillitis.se>
2025-03-13 11:07:36 +01:00
Mikael Ågren
9e317666d3
fpga/fw: Remove SYSTEM_MODE_CTRL register 2025-02-27 14:29:07 +01:00
Michael Cardell Widerkrantz
df04fd56dd
fpga/fw: Introduce syscall TK1_SYSCALL_GET_VIDPID
Introduce new syscall TK1_SYSCALL_GET_VIDPID to get Vendor ID and
Product ID from the protected Unique Device Identification number.

UDI is protected from device apps to protect the serial number, so
apps won't know the exact TKey they are running on other than the CDI.
It may, however, be important to know what *kind* of TKey they are
running on, so we want to expose the Vendor ID and Product ID.

- fpga: Allow UDI to be read when doing syscalls.
- Add the new syscall to firmware.
- Add test to testapp directly after negative test of reading UDI to
  read out VID/PID through a syscall.
2025-02-27 14:29:07 +01:00
Mikael Ågren
d82c3a706e
fw: Add syscalls
Adds:
- SYSCALL_RESET
- SYSCALL_SET_LED

Co-authored-by: Michael Cardell Widerkrantz <mc@tillitis.se>
2025-02-27 14:27:05 +01:00
Michael Cardell Widerkrantz
5eb020275b
fpga/fw/testfw: Remove Blake2s register
Since the introduction of the syscall mechanism we don't allow
execution in ROM anymore so it's impossible to call the firmware's
blake2s() function.

Co-authored-by: Mikael Ågren <mikael@tillitis.se>
2025-02-27 14:20:38 +01:00
Mikael Ågren
97de5e68fd
fpga/fw: Rename system_mode to app_mode
Rename `system_mode` to `app_mode` as to not confuse it with syscall or
firmware mode. When `app_mode` is `1`/`true` we are in app mode.
2025-02-27 14:20:37 +01:00
Jonas Thörnblad
8f2f312531
fpga/fw: Resize ROM and FW_RAM, add RESETINFO partition
In order to be able to leave data for firmware signalling the
intention with a reset or to leave data for the next app in a chain of
apps, we introduce a part of FW_RAM that can be used to store this
data. In order to do this, we:

- Change size of ROM from 6 KB to 8 KB.
- Change size of FW_RAM, from 2 KB to 4 KB.
- Add RESETINFO memory partition inside FW_RAM.
- Add generation of map file.
- Change CFLAGS from using -O2 to using -Os.
- Update address ranges for valid access to ROM and FW_RAM.
- Move stack to be located before data+bss and the RESETINFO data
  above them. This also means we introduce hardware stack overflow
  protection through the Security Monitor.
- Revise firmware README to the new use of FW_RAM.
2025-02-21 11:15:34 +01:00
Jonas Thörnblad
04ec938200
ch552: Add new USB debug pipe (TKEYCTRL)
Make the CH552 present a new HID endpoint used for debug data.
2025-02-11 13:50:05 +01:00
Mikael Ågren
a0c031eb25
fw: Minimal CDC implementation of new framing protocol
Throwing away mode and length from incoming data. Adding mode and
length to outgoing data.

Splitting responses into frames small enough for the USB<->UART
transceiver to handle.
2025-02-11 13:50:03 +01:00
Jonas Thörnblad
15ce2c438b
Add needed changes to firmware for simulation. 2024-11-28 16:10:00 +01:00
Jonas Thörnblad
aea2e319eb
Harmonize the naming of firmware and app mode.
- The API changes name from `_SWITCH_APP` to `_SYSTEM_MODE_CTRL`.
- The registers and wires changes name to `system_mode_*`, instead of a
  mix of `switch_app_*` and `fw_app_mode`.
2024-11-12 15:13:59 +01:00
Daniel Jobson
f13366538e
fw: Fix erroneous type in frame header 2024-10-09 15:52:00 +02:00
Daniel Jobson
81950ef7b2
fw: remove warning of missing prototypes when building with QEMU console
enabled.
2024-09-19 16:52:04 +02:00
Daniel Jobson
613316f53e
fw: simplify how to enable QEMU debug in firmware.
- Remove the define `NOCONSOLE`, add define `QEMU_CONSOLE`
- Inverse the use of it, add the define to have QEMU debug output in fw.
- Add a make target `qemu_firmware.elf` which builds the firmware with
  QEMU console enabled.

Co-authored-by: Mikael Ågren <mikael@tillitis.se>
2024-09-19 16:51:55 +02:00
Joachim Strömbergson
53c5e70795
FPGA: Update names for RAM randomization API
Update:
- README
- testbench
- Symbolic names and variables in fw
- registers
- port name and wires
- Update fpga and fw digests

Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-07-10 13:45:26 +02:00
dehanj
b4c525695a
Remove redundant RAM address and data scrambling
The RAM address and data scrambling API was called twice, once before filling
RAM with random values, and once after. Since moving to a significantly
better PRNG (xorwow) this is now deemed unnecessary. See issue #225.

This changes both FPGA and firmware hashes.
2024-06-13 12:54:47 +02:00
Joachim Strömbergson
92712a11bf
fw: zeroise FW-RAM instead of RAM
Modify the loop to zeroise the FW-RAM instead of the
RAM. RAM is filled with random data at the start of main().

Changes firmware and bitstream digests.

Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-06-12 18:11:10 +02:00
Joachim Strömbergson
eade3e11c5
Fill RAM with random data using xorwow.
xorwow provides significantly better random data, compared to previously
used function. Making it harder to predict what data RAM is filled with.
It adds a startup time of approx 80 ms, but can be compensated with
optimising other parts of the startup routine.

This changes both firmware and fpga hashes.

Signed-off-by: Joachim Strömbergson <joachim@assured.se>
2024-06-11 11:15:00 +02:00
dehanj
4bd249816a
fw: Remove unused header includes 2024-03-26 13:09:06 +01:00
dehanj
3a6a60ff26
fw: Protect zeroisation against compiler optimisation.
The memset() responsible for the zeroisation of the secure_ctx under
the compute_cdi() function in FW's main.c, was optimised away by the
compiler. Instead of using memset(), secure_wipe() is introduced
which uses a volatile keyword to prevent the compiler to try to
optimise it. Secure_wipe() is now used on all locations handling
removal of sensitive data.
2024-03-26 13:09:01 +01:00
Michael Cardell Widerkrantz
09c1f3f549
Silence splint somewhat
The only real changes are some unitialized variables and that we now
make explicit that we don't care about the return value from memset().
2024-03-22 11:03:13 +01:00
Michael Cardell Widerkrantz
4d4db70590
fw: Change ASLR name in MMIO
Use _RAM_ADDR_RAND instead of _RAM_ASLR since this is not OS-level
ASLR we're talking about. It's address randomization as seen from
outside of the CPU, not from the process running inside it. Ordinary
ASLR is visible from the CPU.
2024-03-19 14:36:31 +01:00
Michael Cardell Widerkrantz
e085d0ebd0
Add void to function signatures meant to be used without args 2024-03-19 08:41:39 +01:00